[ 
https://issues.apache.org/jira/browse/CXF-8414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Will Croteau updated CXF-8414:
------------------------------
    Labels: OIDC  (was: )

> OAuth 2.0: authorize response_type order matters
> ------------------------------------------------
>
>                 Key: CXF-8414
>                 URL: https://issues.apache.org/jira/browse/CXF-8414
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.2
>            Reporter: Will Croteau
>            Priority: Major
>              Labels: OIDC
>
> Per the OAuth2 Specification:
> If a response type contains one or more space characters (%x20), it
> is compared as a space-delimited list of values in which the order of
> values does not matter. Only one order of values can be registered,
> which covers all other arrangements of the same set of values.
> For example, the response type "token code" is left undefined by this
> specification. However, an extension can define and register the
> "token code" response type. Once registered, the same combination
> cannot be registered as "code token", but both values can be used to
> denote the same response type.
> OidcImplicitService and OidcHybridService both support multiple response 
> types, but require specific ordering. This is a violation of the OAuth2 
> specification.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to